A critical command injection vulnerability [3], identified as CVE-2024-24576 and named BatBadBut [5], has been discovered in the Rust standard library by security researcher RyotaK.
Description
This vulnerability affects all versions of Rust prior to 1.77.2 on Windows systems. It arises from Rust’s handling of the CreateProcess function and escaping mechanism in command arguments [3], allowing for the execution of arbitrary shell commands when running batch files with untrusted arguments. With a CVSS score of 10.0 [1] [2] [3] [5], the severity of this vulnerability is high. However, successful exploitation may require specific conditions. RyotaK recommends reevaluating the CVSS score following FIRST implementation recommendations for software libraries [2]. To address this issue, users should update to Rust version 1.77.2, which includes patches to fix the vulnerability [4]. Additionally, relocating batch files to a directory not included in the PATH environment variable can help prevent unintended executions [1] [3] [5].
Conclusion
The BatBadBut vulnerability poses a significant risk to Windows systems running Rust versions prior to 1.77.2. By updating to the latest version and following recommended security practices, users can mitigate the potential impact of this vulnerability. Moving forward, it is crucial for developers to prioritize security assessments and implement necessary patches promptly to safeguard against similar threats in the future.
References
[1] https://www.blackhatethicalhacking.com/news/batbadbut-rust-library-bug-puts-windows-systems-at-risk-of-command-injection/
[2] https://www.infosecurity-magazine.com/news/windows-batbadbut-rust/
[3] https://www.scmagazine.com/brief/command-injection-attacks-likely-with-critical-rust-vulnerability
[4] https://heimdalsecurity.com/blog/rust-standard-library-flaw-windows/
[5] https://vulners.com/thn/THN:76A403F01CC6D2CCF29ADC054E2C5F15